Call a function from an injected DLL

First off I would like to say, that I am not trying to hack a game. I am actually employed by the company whose process I am trying to inject. :)

I would like to know how to call a function from an already injected DLL.

So, I have successfully injected and loaded my DLL in the target using CreateRemoteThread(). Below you can see a snippet of the injection:

private static bool Inject(Process pToBeInjected, string sDllPath,out string sError, out IntPtr hwnd, out IntPtr hLibModule)
    { 
        IntPtr zeroPtr = (IntPtr)0;
        hLibModule = zeroPtr;

        IntPtr hProcess = NativeUtils.OpenProcess(
            (0x2 | 0x8 | 0x10 | 0x20 | 0x400), //create thread, query info, operation ,write, and read 
            1,
            (uint)pToBeInjected.Id);

        hwnd = hProcess;
        IntPtr loadLibH = NativeUtils.GetProcAddress( NativeUtils.GetModuleHandle("kernel32.dll"),"LoadLibraryA");

        IntPtr dllAddress = NativeUtils.VirtualAllocEx(
            hProcess,
            (IntPtr)null,
            (IntPtr)sDllPath.Length, //520 bytes should be enough 
            (uint)NativeUtils.AllocationType.Commit |
            (uint)NativeUtils.AllocationType.Reserve,
            (uint)NativeUtils.MemoryProtection.ExecuteReadWrite);

    byte[] bytes = CalcBytes(sDllPath);
        IntPtr ipTmp = IntPtr.Zero;

        NativeUtils.WriteProcessMemory(
            hProcess,
            dllAddress,
            bytes,
            (uint)bytes.Leng开发者_如何学Cth,
            out ipTmp);


        IntPtr hThread = NativeUtils.CreateRemoteThread(
            hProcess,
            (IntPtr)null,
            (IntPtr)0,
            loadLibH, //handle to LoabLibrary function
            dllAddress,//Address of the dll in remote process
            0,
            (IntPtr)null);

        uint retV= NativeUtils.WaitForSingleObject(hThread, NativeUtils.INFINITE_WAIT);
        bool exitR = NativeUtils.GetExitCodeThread(hThread, out hLibModule);
        return true;
    }

Note: Error checking and freeing resources were removed for brevity, but rest assured I check all the pointers and free my resources.

After the function above exits, I have a non-zero module handle to my DLL returned by LoadLibrary through hLibModule, meaning that the DLL was loaded correctly.

My DLL is a C# class library meant to show a message box (for testing). I have tried testing the function and the message box pops up. It looks like this:

 public class Class1
    {
        public static void ThreadFunc(IntPtr param ) 
        {       
        IntPtr libPtr = LoadLibrary("user32.dll");

            MessageBox(IntPtr.Zero, "I'm ALIVE!!!!", "InjectedDll", 0);

        }
        [DllImport("kernel32", SetLastError = true)]
        public static extern IntPtr LoadLibrary(string lpFileName);

        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        static extern int MessageBox(IntPtr hWnd, String text, String caption, int options);

} 

I compile it from Visual Studio and the DLL appears in the Debug folder. I then pass the full path of my DLL to the injector.

After injection into the target process, I don't know how to call my ThreadFunc from the injected DLL, so it never executes.

I cannot use GetProcAddress(hLibModule,"ThreadFunc") since I am out of process, so the answer must lie into calling CreateRemoteThread() somehow. Also, I have read that DllMain is no longer allowed for .NET DLLs, so I cannot get any free execution that way either.

Does anyone have any idea how to call a function from an injected DLL?

Thank you in advance.

Well, you already got a thread running inside that process. You make it do something boring, it only loads a DLL. This works completely by accident, LoadLibrary just happens to have to correct function signature.

It can do much more. That however better be unmanaged code, just like LoadLibrary(), you cannot count on any managed code running properly. That takes a heckofalot more work, you have to load and initialize the CLR and tell it to load and execute the assembly you want to run. And no, you cannot load the CLR in DllMain().

Keywords to look for are CorBindToRuntimeEx() and ICLRRuntimeHost::ExecuteInAppDomain(). This is gritty stuff to get going but I've seen it done. COM and C++ skills and generous helpings of luck required.